Analysis
- max time kernel: 374s
- max time network: 354s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-04-2024 16:40
Static task
- static1

Behavioral tasks (sample, resource)
- behavioral1: lunar-client-v3_2_3.exe, win7-20240221-en
- behavioral2: lunar-client-v3_2_3.exe, win10v2004-20240412-en
- behavioral3: $PLUGINSDIR/INetC.dll, win7-20240221-en
- behavioral4: $PLUGINSDIR/INetC.dll, win10v2004-20240412-en
- behavioral5: $PLUGINSDIR/SpiderBanner.dll, win7-20240221-en
- behavioral6: $PLUGINSDIR/SpiderBanner.dll, win10v2004-20240412-en
- behavioral7: $PLUGINSDIR/StdUtils.dll, win7-20240221-en
- behavioral8: $PLUGINSDIR/StdUtils.dll, win10v2004-20240412-en
- behavioral9: $PLUGINSDIR/System.dll, win7-20240221-en
- behavioral10: $PLUGINSDIR/System.dll, win10v2004-20240412-en
- behavioral11: $PLUGINSDIR/WinShell.dll, win7-20240221-en
- behavioral12: $PLUGINSDIR/WinShell.dll, win10v2004-20240412-en
- behavioral13: $PLUGINSDIR/nsExec.dll, win7-20240221-en
- behavioral14: $PLUGINSDIR/nsExec.dll, win10v2004-20240412-en
- behavioral15: $PLUGINSDIR/nsis7z.dll, win7-20240215-en
- behavioral16: $PLUGINSDIR/nsis7z.dll, win10v2004-20240412-en
- behavioral17: $R0/Uninstall Lunar Client.exe, win7-20240215-en
- behavioral18: $R0/Uninstall Lunar Client.exe, win10v2004-20240412-en
- behavioral19: $PLUGINSDIR/StdUtils.dll, win7-20240220-en
- behavioral20: $PLUGINSDIR/StdUtils.dll, win10v2004-20240412-en
- behavioral21: $PLUGINSDIR/System.dll, win7-20240215-en
- behavioral22: $PLUGINSDIR/System.dll, win10v2004-20240412-en
- behavioral23: $PLUGINSDIR/WinShell.dll, win7-20240220-en
- behavioral24: $PLUGINSDIR/WinShell.dll, win10v2004-20240412-en
- behavioral25: $PLUGINSDIR/nsExec.dll, win7-20240221-en
- behavioral26: $PLUGINSDIR/nsExec.dll, win10v2004-20240412-en
General
- Target: $PLUGINSDIR/System.dll
- Size: 12KB
- MD5: 0d7ad4f45dc6f5aa87f606d0331c6901
- SHA1: 48df0911f0484cbe2a8cdd5362140b63c41ee457
- SHA256: 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
- SHA512: c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
- SSDEEP: 192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
Signatures
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid 448 WerFault.exe -> target pid 2008 rundll32.exe

- Modifies data under HKEY_USERS (15 IoCs)
  Processes: LogonUI.exe
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  - Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "218"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: msedge.exe
  pid 4884 msedge.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: SystemSettingsAdminFlows.exe
  - Token: SeBackupPrivilege, pid 740 SystemSettingsAdminFlows.exe
  - Token: SeRestorePrivilege, pid 740 SystemSettingsAdminFlows.exe
  - Token: SeSystemEnvironmentPrivilege, pid 740 SystemSettingsAdminFlows.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: SystemSettingsAdminFlows.exe, LogonUI.exe
  - pid 740 SystemSettingsAdminFlows.exe
  - pid 228 LogonUI.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: rundll32.exe, msedge.exe
  Distinct source -> target pairs (repeated entries collapsed):
  - PID 872 rundll32.exe wrote to memory of 2008 rundll32.exe
  - PID 4960 msedge.exe wrote to memory of 3744 msedge.exe
  - PID 4960 msedge.exe wrote to memory of 4596 msedge.exe
  - PID 4960 msedge.exe wrote to memory of 4884 msedge.exe
  - PID 4960 msedge.exe wrote to memory of 4412 msedge.exe
Processes (indentation shows parent/child nesting)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 612
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2008 -ip 2008
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb2a8c28fhdc7ch4604hbe09hdef5c4ba1da0
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8121846f8,0x7ff812184708,0x7ff812184718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,18420039577170682925,10909030234721750972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,18420039577170682925,10909030234721750972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,18420039577170682925,10909030234721750972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
- C:\Windows\system32\SystemSettingsAdminFlows.exe
  Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3965855 /state1:0x41c64e6d
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\bootim.exe
  Command line: bootim.exe /startpage:1
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 70ae4bf8f75c69610c1d00131c1ec28c
  SHA1: eab92c184a3b655377f375b1b25ef85fb06c7130
  SHA256: 9f46453862eb083e85697631455185c0ead19ec86c1ae3d15274c06c9a38731b
  SHA512: 29299dbc0114f01525bff67ec421a28056905e8f5d21f00502554f446883b6086f8b9a2c27a591f364077da17c21438910b8dbf163a59f6f80272eb7d5f05c68
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: d76a9a6dcd771fadb538ee932359f68c
  SHA1: b93b883d43e69d7c09b43d6925f4a412349edddd
  SHA256: 415e0dd85bcf0de90df1e016f3b940ca96c0f24687455e3c8be5c6c84a370a07
  SHA512: 8481939c8cd57471a86972b62fee3a442d42b40baa38cfb05c7e3f56bdeb7b3090a905457e1b780b717dd215e3e47aba790c987eea29ba540729c87c346ad4a7
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 8KB
  MD5: a8fb416072b1c365e60610871393228e
  SHA1: daf2f946f89daf86b0a55b62b195dd6a764006fc
  SHA256: 1ee6f28330fd3e5a46e004e9ece2175afccf6aff0fb6a35b3525efb9275e5d0f
  SHA512: b856d5e8ee54905f98fd5edd2f700533fa66213b9a4c67feed795378194323e3ee67b6dc457603c876e8352066d8e4d1730a70f4e0d1651b106e3ffada5ee86a